Glossary

3DES (Triple Data Encryption Standard) A variant of DES that applies the DES algorithm three times to each 64-bit block (encrypt, decrypt, encrypt), normally with three independent 56-bit keys. The key material therefore grows from 8 bytes to 24 bytes (168 key bits), although meet-in-the-middle attacks reduce the effective strength to about 112 bits. 3DES is far slower than AES and has been deprecated by NIST in favor of AES.

802.11b A family of specifications created by the Institute of Electrical and Electronics Engineers (IEEE) for wireless, Ethernet local-area networks (LANs) in 2.4 gigahertz bandwidth space.

802.11g An IEEE high-speed wireless standard in the same 2.4 GHz band as 802.11b that allows users to transmit data at rates of up to 54 Mbps, nearly five times faster than 802.11b technology.

AAA (authentication, authorization, and accounting) Pronounced “triple A,” this technology is designed to verify a user’s identification, ensure that the user is authorized to make a given request, and collect information about the user transaction.

ACLs (access control lists) The method used to configure and deploy packet filters on Cisco routers. The two main types of ACLs are standard and extended ACLs: standard ACLs filter on the source IP address only, whereas extended ACLs can also match on destination address, protocol, and source/destination ports. Entries are evaluated in order, the first match wins, and every ACL ends with an implicit deny of anything not explicitly permitted.

active reconnaissance The phase that usually begins after a hacker has gathered sufficient information about a target’s network through passive reconnaissance. The hacker now accepts some risk of detection as he actively scans and probes the target’s network, trying to determine the operating systems in use, the services running, and where the routers and firewalls might be.

ad-hoc A wireless LAN (WLAN) mode of operation, also known as peer-to-peer wireless networking, in which several wireless computers need to transmit files to each other. This mode of operation is also known as Independent Basic Service Set (IBSS). You can think of ad-hoc as being able to happen without the use of an access point. Each computer can communicate directly with all the other wireless-enabled computers. They can share files and printers this way, but they are unable to access wired LAN resources unless one of the computers acts as a bridge to the wired LAN using special software. (This is called “bridging.”)

AH (Authentication Header) An IPSec protocol that provides integrity and data-origin authentication for an IP datagram, with optional antireplay protection, but no encryption. The sender computes a keyed one-way hash (an HMAC) over the payload, the AH header, and the immutable fields of the IP header and places the result in an AH header inserted into the datagram; the receiver recomputes the hash and discards the packet if it does not match. Because the hash covers the outer source and destination addresses, AH cannot pass through NAT. AH is IP protocol 51 and can be used either by itself or with Encapsulating Security Payload (ESP). It was originally specified in RFC 2402 (revised in RFC 4302); in practice ESP with its own authentication has largely replaced it, and current IPSec profiles make AH support optional.

application level firewall A type of firewall that provides the most secure data connections because they can examine every layer in the TCP/IP model of the communication process. To achieve this level of protection, these firewalls—also known as proxies—actually mediate and control connections by intercepting each connection and inspecting it. If the proxy determines that the connection is allowed, it opens a second connection to the server from itself, on behalf of the original host.

associating In a wireless LAN, the process that establishes communication between a wireless client and a wireless access point.

attack signature An attack signature details the patterns of misuse in network traffic (packets) that indicate that an attacker is attempting to gain entry into the protected network by using an attack, such as denial of service attempts or the execution of illegal commands during an FTP session.

authentication One of the functions of the IPSec framework: authentication confirms the origin of a data stream and, together with integrity checking, ensures that it has not been tampered with in transit. More generally, the process of verifying that an individual or device is who it claims to be, based on a credential such as a username/password combination, a digital certificate, or a preshared key. Authentication does not determine what an individual is allowed to access, merely that they are who they claim to be. Authorization defines what access an individual is allowed to have, assuming that they have been authenticated, of course!

bit bucket A lighthearted term meaning trash or garbage can. When saying that a packet is thrown in the bit bucket, this really means that the router, firewall, or proxy has chosen to discard the packet and ultimately all data is just bits (1s and 0s).

CA (Certificate Authority) A third-party entity that is responsible for issuing and revoking certificates. Each device that has its own certificate and public key of the CA can authenticate every other device within a given CA’s domain. This term is also applied to server software that provides these services.

CBAC (Context-Based Access Control) A stateful packet inspection (SPI) engine at the heart of the Cisco IOS Firewall Feature Set that extends the router’s filtering capability to the application layer (Layer 7) of the OSI reference model. CBAC tracks TCP, UDP, and (as of Cisco IOS Software Release 12.2(15)T) ICMP application flows between hosts on either side of the firewall router and dynamically creates temporary access list openings for the return traffic of sessions initiated from the trusted side, thus performing SPI.

CHAP (Challenge Handshake Authentication Protocol) An authentication protocol (RFC 1994) in which the client and server both know a shared secret (password) but never send it over the link. The server sends a random challenge; the client returns an MD5 hash of the CHAP identifier, the secret, and the challenge; the server computes the same hash with its own copy of the secret and allows the connection if the two match. Because a fresh challenge is used each time, a captured response cannot simply be replayed. The secret cannot be recovered from the hash directly, but an attacker who captures the challenge and response can test password guesses offline, so the secret still needs to be strong.
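The exchange described above, as an added example that is not part of the original glossary: the authenticator issues a random challenge, the peer answers with MD5(identifier || secret || challenge) exactly as RFC 1994 specifies, and the authenticator verifies it with its own copy of the secret. The user name, secrets, and word list are constructed for this illustration; the `offline_guess` function shows the caveat in the entry, that a sniffed challenge/response pair lets an attacker test guesses offline.

```python
import hashlib
import hmac
import os

# Added example (not from the page): a minimal CHAP exchange as specified in
# RFC 1994. The user names, secrets and word list below are constructed.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side: holds a secret per peer and issues a fresh challenge per attempt."""

    def __init__(self, secrets: dict):
        self.secrets = dict(secrets)
        self.identifier = 0

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) & 0xFF  # 8-bit identifier, wraps
        return self.identifier, os.urandom(16)          # random, never reused

    def verify(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self.secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


class Peer:
    """Client side: proves knowledge of the secret without ever sending it."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange(auth: Authenticator, peer: Peer) -> bool:
    """One complete Challenge -> Response -> Success/Failure exchange."""
    identifier, challenge = auth.challenge()
    name, response = peer.respond(identifier, challenge)
    return auth.verify(name, identifier, challenge, response)


def offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist):
    """What a sniffer can do with a captured exchange: the secret never crossed
    the wire, but every guess can be tested offline against the captured triple."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    auth = Authenticator({"alice": b"correct horse"})
    print("valid peer:", run_exchange(auth, Peer("alice", b"correct horse")))
    print("wrong secret:", run_exchange(auth, Peer("alice", b"wrong")))
    ident, chal = auth.challenge()
    _, resp = Peer("alice", b"correct horse").respond(ident, chal)
    print("offline guess:", offline_guess(ident, chal, resp, [b"password", b"correct horse"]))
```

The identifier is only 8 bits and the challenge is what actually prevents replay, which is why an authenticator must never reuse a challenge value.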

choke point Refers to a single point in which everything tries to either enter or leave your network.

choke point router A router that is the single point from which the entire Internet gains access to your network. The router, then, is also a single point of failure.

content filtering A collection of security solutions designed to monitor and filter content from the Internet, chat rooms, instant messaging, e-mail, e-mail attachments, web browsers, and other applications served over the Internet.

crypto map A Cisco IOS Software configuration entity that performs two primary functions: (1) selects data flows that need security processing and (2) defines the policy for these flows and the crypto peer to which traffic needs to go. A crypto map is applied to an interface. The concept of a crypto map was introduced in classic crypto but was expanded for IPSec.

CVE A list of standardized names for vulnerabilities and other information security exposures, CVE aims to standardize the names for all publicly known vulnerabilities and security exposures. A dictionary, not a database, the goal of CVE is to make it easier to share data across separate vulnerability databases and security tools. While CVE might make it easier to search for information in other databases, CVE should not be considered a vulnerability database on its own merit. CVE’s content is a result of a collaborative effort of the CVE Editorial Board. The Editorial Board includes representatives from numerous security-related organizations such as security tool vendors, academic institutions, the government, and other prominent security experts. The MITRE Corporation maintains CVE and moderates Editorial Board discussions.

DDoS (Distributed Denial of Service) A type of attack wherein the target site (server or router) is flooded with packets (ICMP echo requests, TCP SYNs, and the like) that individually appear to be normal traffic. The flood consumes the target’s bandwidth, connection tables, or CPU and prevents legitimate traffic from reaching the site, thus denying service to real users. Such attacks have become distributed in nature: many compromised computers throughout the Internet are coordinated to attack a single site at once, which makes the flood far larger and the sources far harder to filter.

DDoS Daemon A specialized program installed on compromised hosts that is used to control and coordinate a DDoS attack. As of this writing, there are four well-known tools: Tribe Flood Network (TFN), TFN2K, Trinoo, and Stacheldraht (which is German for “barbed wire”).

DES (Data Encryption Standard) A block cipher standardized by the U.S. National Bureau of Standards (now NIST) in 1977 and modified from the IBM Lucifer algorithm. DES encrypts 64-bit blocks under a 56-bit key; that key length is now small enough to search exhaustively, so DES is considered insecure and has been superseded by 3DES and AES.

Diffie-Hellman algorithm The first published public-key algorithm. In IKE negotiations, it allows two peers to agree on a shared secret over an insecure network without ever transmitting that secret; the session keys are then derived from it.

digital signature A cryptographic value, computed with the sender’s private key over a hash of the message, that lets anyone holding the sender’s public key verify that the message really came from the claimed sender and was not altered afterward.

DMZ (Demilitarized Zone) A separate interface or network segment on a firewall that holds Internet-accessible servers and services, acting as a buffer so that a compromise of those servers does not give direct access to the internal network.

downstream liability This latest entry into the realm of network security is concerned with the fact that, authorized or not, someone is using a system from Company A to attack Company Z; when Company Z investigates this attack, they find that the attack is coming from Company A. The question becomes, who is liable? To further this point, consider what might happen if these two companies are competitors and the attack succeeds?

dumpster diving 1. The practice of sifting refuse from an office or technical installation to extract confidential data, especially security-compromising information. (‘dumpster’ is an Americanism for what is called a ‘skip’ elsewhere). Back in AT&T’s monopoly days, before paper shredders became common office equipment, phone phreaks used to organize regular dumpster runs against phone company plants and offices. Discarded and damaged copies of AT&T internal manuals taught them a great deal. The technique is still rumored to be a favorite of crackers who operate against careless targets. 2. The practice of raiding the dumpsters behind buildings where producers or consumers of high-tech equipment are located with the expectation (usually justified) of finding discarded but still-valuable equipment to be nursed back to health in some hacker’s den. Experienced dumpster divers frequently accumulate basements full of moldering (but still potentially useful) stuff. (http://www.phonelosers.org)

Dynamic NAT Provides for mapping a private IP address to a public IP address from a group of registered IP addresses. In this type of NAT, there is a one-to-one relationship in the mapping from private to public. For example, if your PC was assigned an internal IP address of 10.0.0.2 and your coworker was 10.0.0.3, each of you would be assigned a public IP address at the firewall via NAT as your traffic went to the Internet.

EAP (Extensible Authentication Protocol) An authentication framework (RFC 3748) that runs at Layer 2, before the client has an IP address, and carries a variety of authentication methods (passwords, certificates, tokens). In a wireless network it is carried by IEEE 802.1X during the authentication stage, between the client and an access point that relays it to a RADIUS server.

encryption A means of achieving data confidentiality by transforming data with a key (password) so that only someone holding the key can read it. In Cisco IOS Software, the service password-encryption command obscures passwords so they are not readable at a glance in the configuration file; this type 7 encoding is trivially reversible, so MD5-hashed secret passwords (enable secret) should be used wherever they are supported.

ESP (Encapsulating Security Payload) An IPSec protocol that provides data confidentiality (encryption) with optional authentication, integrity, and replay-detection services. ESP completely encapsulates user data. It can be used either by itself or in conjunction with AH. ESP does not run over TCP: it is IP protocol number 50 (AH is protocol 51), so a firewall between IPSec peers must permit these protocol numbers, not only UDP port 500 for IKE. ESP was originally documented in RFC 2406 (revised in RFC 4303).

Extranet VPNs A type of VPN that allows secure connections with business partners, suppliers and customers for the purpose of e-commerce. Extranet VPNs are an extension of intranet VPNs with the addition of firewalls to protect the internal network.

firewalking A concept and tool that enables an attacker to send specially crafted packets through a firewall to determine what ports and services are permitted through the firewall. An attacker with this knowledge can make their port scans hidden and thus map your network through your firewall.

firewall A networking device deployed at the point where private network resources connect to the public Internet to protect networked computers from hostile actions that could compromise internal computers, resulting in data corruption or a denial of service to authorized users. Firewalls can be dedicated hardware devices or specialized software. Before the term “firewall” was used for a component of a computer network, it described a wall designed to contain a fire: a brick-and-mortar firewall contains a fire in one part of a building and prevents it from spreading to another part. A network firewall is meant to contain attacks in the same way, but it can enforce only the rules it is given, so it is one layer of defense rather than a guarantee.

GRE (generic routing encapsulation) A method of encapsulating any network layer protocol over any other network layer protocol. The general specification is described in RFC 1701 (updated by RFC 2784), and RFC 1702 defines the encapsulation of IP packets in IP. In general, GRE encapsulates a packet called the payload packet, and another protocol called the delivery protocol forwards it to its destination. GRE is IP protocol 47 and provides no confidentiality or authentication by itself, so GRE tunnels that cross untrusted networks are normally protected with IPSec.

hash Basically a grinder that takes something recognizable, such as beef or pork (metaphorically speaking), hashes it, and ends up with something based on the original, but unique—in this case, hamburger or sausage. Technically, a hash function takes input of any length and produces a fixed-length digest from which the input cannot practically be recovered, and any change to the input produces a different digest.

hashcheck A comparison method used when using a one-way hash operation like MD5. A hashcheck is the comparison of a calculated message digest against the received message digest to verify that the message has not been tampered with.

HIDS (Host-based Intrusion Detection Sensors) Specialized software applications that are installed on a computer (typically a server) and that watch all inbound and outbound communication traffic to and from that server and monitor the file system for changes. HIDS are extremely effective on mission-critical Internet accessible application servers such as web or e-mail servers because they can watch the application at its source to protect it.

Honeypot A highly flexible computer system on the Internet that is customized to be a security tool and is expressly set up to attract and “trap” people who attempt to penetrate other people’s computer systems through probes, scans, and intrusions.

IDS (Intrusion Detection System) A security service that monitors and analyzes system events for the purpose of finding (and providing real-time or near real-time warning of) attempts to access system resources in an unauthorized manner.

IKE (Internet Key Exchange) The protocol (RFC 2409, carried over UDP port 500) that negotiates, authenticates, and manages security associations (SAs) and keys for IPSec. IKE first establishes a secure, bidirectional channel between two devices, within which they negotiate an encryption algorithm, a hash algorithm, an authentication method, and the Diffie-Hellman group; the keys derived from the Diffie-Hellman exchange then protect the negotiation of the IPSec SAs. Network administrators can closely tie IKE with policy management systems. Because IKE is a separate protocol from ESP and AH, firewalls between IPSec peers must permit it explicitly.

Infrastructure A wireless LAN (WLAN) mode of operation that requires the use of a Basic Service Set (BSS) that is a wireless access point. The access point is required to allow for wireless computers to connect not only to each other, but also to a wired network. Most corporate WLANs operate in Infrastructure mode because they require access to the wired LAN to use services such as printers and file servers.

inline wiretap A method of capturing packets by placing a physical tap in between (that is, inline between) two network devices. Plugged into this tap would be the Network-based Intrusion Detection Sensor (NIDS).

integrity A property that ensures that the packet the receiving party receives has not been altered during transmission. This is achieved by computing a keyed one-way hash (HMAC) over the packet at the sender and recomputing it at the receiver; a plain, unkeyed hash detects only accidental corruption, because an attacker who alters the packet can recompute it too.

intrusion detection Intrusion detection involves the ongoing monitoring of network traffic by looking at each packet for potential misuse or policy violations. Intrusion detection matches network traffic against lists of attack signatures to look for patterns of misuse.

IPS (Intrusion Prevention Systems) Systems, typically deployed inline in the traffic path, that are designed to stop an attack at the earliest possible moment by dropping or blocking the offending traffic rather than only alerting on it as an Intrusion Detection System (IDS) does. An IPS extends IDS detection with enforcement, at the cost that a false positive now blocks legitimate traffic.

IPSec SA (IPSec Security Association) The agreed set of algorithms, keys, and parameters under which two peers protect traffic. An IPSec SA is unidirectional and thus requires that separate IPSec SAs be established in each direction. SAs are negotiated by IKE in a two-phase, three-mode procedure: in phase 1, which creates the IKE SA, two modes can be used, main mode and aggressive mode; in phase 2, which creates the IPSec SAs, the only mode available is called quick mode. The end user has no control over which mode is chosen; rather, the selection depends on the configuration parameters set up by both peers.

ISAKMP (Internet Security Association and Key Management Protocol) A framework (RFC 2408) that defines the message formats and mechanics for negotiating a security policy and establishing security associations, independently of any particular key exchange. In an IPSec environment, ISAKMP carries the negotiation of SA parameters and the Diffie-Hellman key exchange between peers (IKE combines ISAKMP with the OAKLEY key exchange) as well as key creation and management; private keys themselves are never transmitted.

L2F (Layer Two Forwarding) A tunneling protocol developed by Cisco Systems. L2F is similar to the PPTP protocol developed by Microsoft in that it enables organizations to set up virtual private networks (VPNs) that use the Internet backbone to connect distant sites.

L2TP (Layer Two Tunneling Protocol) A tunneling protocol, documented in RFC 2661, that Cisco and Microsoft agreed to develop jointly by merging the best features of their earlier protocols, PPTP from Microsoft and Layer 2 Forwarding (L2F) from Cisco Systems. It is used to enable the operation of a virtual private network (VPN) over the Internet. L2TP packets are exchanged over User Datagram Protocol (UDP) port 1701. L2TP itself provides no encryption; RFC 3193 defines running L2TP over a secure IPSec transport, in which IPSec Encapsulating Security Payload (ESP) protects the UDP payload to ensure secure communication.

LAC (L2TP access concentrator) An L2TP device to which the client directly connects and whereby PPP frames are tunneled to the L2TP network server (LNS). The LAC needs to only implement the media over which L2TP operates to pass traffic to one or more LNS. It might tunnel any protocol carried within PPP.

layered security A network design concept that implements security consistently at as many points as possible throughout a network. This design concept combats the weaknesses of a network with just a single point of defense.

least access When access is granted, this principle requires that it is done in as limited a manner as possible, while still allowing the purpose such a connection was granted to be accomplished. In a more functional definition, if access was granted so a user can FTP to a specific server, that is all that she should be allowed to do; therefore, she has the least access possible.

LNS (L2TP network server) A termination point for an L2TP tunnel and access point where PPP frames are processed and passed to higher layer protocols. The LNS operates on any platform that is capable of PPP termination, and both Cisco and Microsoft have solutions. The LNS handles the server side of the L2TP protocol.

MD5 (Message Digest 5) Designed by Ron Rivest in 1991 and officially described in RFC 1321 (1992), MD5 is a one-way hash algorithm that takes data of any length and produces a 128-bit fingerprint known as a hash or digest. The hash cannot be reversed to recover the data that produced it; this is why it is called one-way. MD5 is no longer considered secure where collision resistance matters, since two different inputs with the same digest can now be produced in seconds, so it must not be used for digital signatures or certificates. For detecting accidental corruption, or inside an HMAC, it remains in wide legacy use.
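A worked illustration of the hashcheck, integrity, and MD5 entries, added here and not part of the original glossary: a plain MD5 hashcheck beside a keyed check using HMAC-MD5, the construction AH and ESP use for their integrity check. The messages and the key are constructed. The point the code makes is that a plain digest catches a transmission error but not a deliberate rewrite, because the attacker simply recomputes the digest; only the keyed version needs something the attacker does not have.

```python
import hashlib
import hmac

# Added example (not from the page): a plain MD5 hashcheck beside a keyed
# check (HMAC-MD5, the construction AH/ESP use). Messages and the key are constructed.


def md5_digest(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hashcheck(data: bytes, received_digest: str) -> bool:
    """Plain hashcheck: recompute the digest of what arrived and compare it
    with the digest that arrived alongside it."""
    return hmac.compare_digest(md5_digest(data), received_digest)


def keyed_digest(key: bytes, data: bytes) -> str:
    """HMAC-MD5: only a holder of the key can produce a matching tag."""
    return hmac.new(key, data, hashlib.md5).hexdigest()


def keyed_check(key: bytes, data: bytes, received_tag: str) -> bool:
    return hmac.compare_digest(keyed_digest(key, data), received_tag)


def attacker_rewrites(new_message: bytes) -> tuple:
    """An attacker who can change the message in transit also recomputes the
    plain digest, because nothing secret is needed to do so."""
    return new_message, md5_digest(new_message)


def demo() -> dict:
    key = b"pre-shared-integrity-key"            # constructed
    msg = b"transfer 100 to account 12345"       # constructed
    forged, forged_digest = attacker_rewrites(b"transfer 9999 to account 66666")
    corrupted = msg[:-1] + b"6"                  # single-character transmission error
    return {
        "plain_accepts_original": hashcheck(msg, md5_digest(msg)),
        "plain_rejects_corruption": not hashcheck(corrupted, md5_digest(msg)),
        # False: the forgery passes a plain hashcheck, which is the weakness
        "plain_rejects_forgery": not hashcheck(forged, forged_digest),
        "keyed_accepts_original": keyed_check(key, msg, keyed_digest(key, msg)),
        # the attacker does not know the key, so a guessed key produces a wrong tag
        "keyed_rejects_forgery": not keyed_check(key, forged, keyed_digest(b"guess", forged)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} {ok}")
```

AH and ESP truncate the HMAC-MD5 output to its first 96 bits (HMAC-MD5-96, RFC 2403); the comparison logic is the same.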

NAT (Network Address Translation) An IP address mechanism deployed and implemented on a device (firewall, router, or computer) that sits between an internal network using private IP addresses and the Internet, which uses public IP addresses. The device performing the Address Translation from private to public is usually a firewall and, to a lesser extent, a router. The device performing NAT usually sits with one part connected to the internal network and another part connected to the Internet (or some external network).

NIDS (Network-based Intrusion Detection Sensor) An IDS that resides directly on the network and watches all traffic traversing the network. NIDS are effective at both watching for inbound/outbound traffic flows, and traffic between hosts on or between local network segments. NIDS are typically deployed in front of and behind firewalls and VPN gateways to measure the effectiveness of those security devices and to interact with them to add more depth to your network’s security.

NMAP (“Network Mapper”) An open source utility for network exploration or security auditing. Although it works fine against single hosts, NMAP was designed to rapidly scan large networks. It uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. NMAP runs on most types of computers, and both console and graphical versions are available. NMAP is free software that is available with full source code under the terms of the GNU GPL. (http://www.insecure.org)

OAKLEY A key exchange protocol that defines how to acquire authenticated key information. The basic mechanism for OAKLEY is the Diffie-Hellman key exchange algorithm. You can find the standard in RFC 2412, The OAKLEY Key Determination Protocol.

open key authentication (properly, open system authentication) An 802.11 authentication method used during the associating phase between a wireless client and a wireless access point. This default method is the easiest to use: any client that asks is authenticated. It provides no security whatsoever, so any real access control must come from the encryption and authentication applied after association.

overloading A form of dynamic Network Address Translation (NAT) that provides for the translation of multiple private IP addresses to a single public IP address by assigning each session a different source port number (TCP or UDP). Known also as PAT (Port Address Translation) or single address NAT, this type of NAT is the most commonly used because it serves large numbers of users at once; a single public address can carry tens of thousands of simultaneous sessions.

packet filtering One of the oldest and most common types of packet inspection technologies available, packet filtering inspects the header fields of each packet (source and destination addresses, protocol, and ports) and compares them against a predetermined set of applied rules. The first rule that matches decides whether the packet is allowed or dropped, and a packet that matches no rule is dropped. Because each packet is judged on its own, a plain packet filter cannot tell whether a packet belongs to an established connection.
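The evaluation described in the ACLs and packet filtering entries, as an added example that is not part of the original glossary: a parser for numbered Cisco-style standard (1-99) and extended (100-199) access-list lines, wildcard-mask matching, first-match evaluation, and the implicit deny at the end. The access lists and packets are constructed; only the `eq` port operator is supported, and the named-ACL and `established` syntax are left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the page): a small evaluator for Cisco-style standard
# and extended access lists. The ACL text and packets below are constructed.


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", "icmp"
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & (~w & 0xFFFFFFFF)) == 0


def _parse_addr(tokens: List[str]) -> Tuple[str, str]:
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)           # "address wildcard"


def _parse_port(tokens: List[str]) -> Optional[int]:
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list N permit|deny ...' for numbered standard (1-99) and
    extended (100-199) lists; only the 'eq' port operator is handled."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    number, action = int(tokens[1]), tokens[2]
    rest = tokens[3:]
    if 1 <= number <= 99:                        # standard ACL: source address only
        src, sw = _parse_addr(rest)
        return AclEntry(action, "ip", src, sw, "0.0.0.0", "255.255.255.255")
    proto = rest.pop(0)
    src, sw = _parse_addr(rest)
    sport = _parse_port(rest)
    dst, dw = _parse_addr(rest)
    dport = _parse_port(rest)
    return AclEntry(action, proto, src, sw, dst, dw, sport, dport)


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; returns (action, index). A packet that matches
    nothing hits the implicit 'deny any' at the end (index None)."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wild):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wild):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, i
    return "deny", None


EXTENDED_ACL = [parse_acl_line(l) for l in """
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 deny   tcp any any eq 23
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any
""".strip().splitlines()]

STANDARD_ACL = [parse_acl_line(l) for l in """
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   any
""".strip().splitlines()]
```

Note that a UDP packet to the web server is dropped by the implicit deny even though no entry mentions UDP; the filter never has to be told what to block, only what to permit.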

packet sniffer An application that enables the user to capture all packets going out over a single or multiple Ethernet connection for later inspection. These “sniffer” applications grab the packet, analyze it, and reveal the data payload contained within. The theft of an authorized user’s identity poses one of the greatest threats caused by a packet sniffer.

PAP (Password Authentication Protocol) A link authentication protocol (RFC 1334) in which the client sends its username and password in clear text. PAP offers no encryption at all, so anyone who can sniff the link captures the password; it is considered deprecated, and CHAP should be used instead.

passive reconnaissance Steps a hacker takes to learn more about a potential target through means that do not alert the target to what is occurring. Examples include dumpster diving, visual observation of a company’s buildings, observing and eavesdropping on employees, packet sniffing (usually easy to do if the target has wireless improperly deployed), and researching the target through commonplace tools on the Internet such as nslookup.

PKI (Public Key Infrastructure) The combination of hardware, software, procedures, and policies for issuing, distributing, and revoking digital certificates that bind public keys to identities. The goal of PKI is to provide a foundation for a system that supports a variety of security services, such as authentication, data integrity, data confidentiality, and nonrepudiation, so users can communicate and securely exchange information regardless of location. The certificate and revocation list formats are standardized by the IETF PKIX working group (RFC 5280).

POLP (Policy of Least Privilege) A network security practice where access decisions are based on the concept of “block everything and allow only what is needed to conduct business.” Cisco firewalls apply this by default: traffic from a lower-security (outside) interface to a higher-security (inside) interface is denied unless explicitly permitted.

port mirroring Also known as port spanning, depending on the switch you are using, this technique tells the switch to send copies of every packet that (for example) are to be sent to the port your firewall is plugged into to another port. The Network-Based Intrusion Detection Sensor (NIDS) is connected to this mirrored port.

PPTP (Point-to-Point Tunneling Protocol) A protocol (set of communication rules) that allows corporations to extend their own corporate network through private “tunnels” over the public Internet. Effectively, a corporation uses a wide-area network (WAN) as a single large local area network. A company no longer needs to lease its own lines for wide-area communication, but it can use the public networks. This kind of interconnection is known as a virtual private network (VPN). PPTP uses a TCP control connection on port 1723 and carries the tunneled PPP frames in GRE; its security depends entirely on the PPP authentication and encryption used inside, and the common MS-CHAP/MPPE combination has known weaknesses, so PPTP is no longer considered adequate for sensitive traffic.

proxy See application level firewall.

RADIUS (Remote Authentication Dial-In User Service) A client/server protocol (RFC 2865, UDP ports 1812 and 1813; older implementations use 1645 and 1646) for centralizing authentication, authorization, and accounting. A network access device such as a Cisco router (the RADIUS client) sends authentication requests to a RADIUS server, which is a host that has the RADIUS daemon or application installed. Cisco IOS Software implements the client side, and RADIUS is used with AAA to enable the authentication, authorization, and accounting of remote users. RADIUS hides only the user password attribute (with MD5 and a shared secret); the rest of each packet travels in the clear, so the path between client and server should be trusted or protected.

remote access VPN A type of VPN that allows individual dialup users to connect to a central site across the Internet or other public network service in a secure way. This type of VPN is a user-to-LAN connection that allows employees that have a need to connect to the corporate LAN from the field. Their systems use special VPN Client software that enables a secure link between themselves and the corporate LAN. Typically, a corporation that wishes to set up a large remote access VPN provides some form of Internet dialup account to its users using an ISP. The telecommuters can then dial a toll free number to reach the Internet and use their VPN client software to access the corporate network. A good example of a company that needs a remote access VPN would be a large firm with hundreds of sales people in the field. Remote access VPNs are sometimes referred to as soft (as in software-based) VPNs, virtual private dialup networks (VPDN), or dial VPNs. Users pay a low “fixed cost” to a local ISP using a local call and therefore no long distance fees.

Rogue APs Deployed wireless access points (WAPs) that have not been officially authorized for use within a company by its IT department. Rogue APs can leave a company’s network vulnerable to attacks.

RSA A public key cryptographic algorithm (named after its inventors, Rivest, Shamir, and Adleman) with a variable key length. RSA’s main weakness is that it is significantly slower to compute than popular secret-key algorithms such as DES or AES. Cisco’s IKE implementation uses a Diffie-Hellman exchange to derive the secret keys; that exchange can be authenticated with RSA signatures, RSA-encrypted nonces, or preshared keys. With the Diffie-Hellman exchange, the session key never crosses the network (not even in encrypted form), which is not the case with the RSA encrypt-and-sign technique. The RSA patent expired in September 2000, so the algorithm no longer requires a license.

script kiddie (sometimes spelled kiddy) Coined by the more sophisticated hackers of computer security systems, a derogative term for the more immature, but unfortunately often just as dangerous exploiter of security lapses on the Internet.

security protocol A secure procedure for regulating data transmission between computers.

shared key authentication An 802.11 authentication method used before a wireless client associates with a wireless access point. When the access point is set to shared key authentication, it transmits a challenge text to a client that requests authentication; the client encrypts the challenge using its WEP key and returns it, and if the access point can decrypt the result to the original challenge, the client is allowed to associate and transmit. Because the exchange exposes a plaintext/ciphertext pair on the air, an eavesdropper can recover the WEP keystream and forge his own authentication, so shared key authentication is actually weaker than open authentication with WEP.

shunning An attack prevention technique in which the IDS automatically configures your prescreening router or firewall to deny traffic based on what it has detected, thereby shunning the connection. As Intrusion Detection Systems (IDS) become more advanced, shunning is evolving into a new term, blocking, in which an IDS contacts a router or firewall and creates an access control list (ACL) entry to block the attacking IP address. Because the trigger is an attacker-controlled source address, a spoofed attack can trick the IDS into blocking a legitimate host, so blocks are usually time-limited and critical addresses are exempted.

site survey A process by which someone deploying a wireless LAN can detect (among other things) other wireless access points that are configured to broadcast on the same channel as the intended deployed NIC.

Site-to-Site VPNs A type of VPN used to extend a company’s existing LAN to other buildings and sites through use of dedicated equipment so that remote employees at these locations can utilize the same network services. These types of VPNs are considered actively connected at all times. Site-to-Site VPNs are sometimes referred to as hard (as in hardware-based) VPNs, Intranet, or LAN-to-LAN VPNs.

smurf attack A type of denial of service (DoS) attack that exploits ICMP echo requests (ping) and IP directed broadcast addresses. The attacker sends echo requests to a network’s broadcast address with the source address forged to be the victim’s; every host on that network replies to the victim, which amplifies the attack by the number of responding hosts. A smurf attack’s purpose is to disable a target host or network by consuming all of its bandwidth and resources; aside from this, it causes no permanent damage. A network stops serving as an amplifier when directed broadcast is disabled on its router interfaces (no ip directed-broadcast on Cisco IOS, the default since Release 12.0).

sniping An attack prevention technique that allows the Intrusion Detection System (IDS) to terminate a suspected attack using a TCP Reset packet or an ICMP unreachable message.

social engineering A term used to define hacking techniques whose goal is to fool people into revealing passwords or other potentially sensitive information that compromises a target system’s security. Classic social engineering scams include phoning up a target that has the required information and posing as a field service technician or a fellow employee with an urgent problem.

SPI (Stateful Packet Inspection) An advanced packet inspection technique, usually implemented in a firewall, that tracks the state of each TCP/IP connection (addresses, ports, sequence numbers, and handshake progress) in a table. Return traffic is permitted only when it matches a session that was legitimately initiated, so a packet that belongs to no known connection is dropped even if a simple filter rule would have allowed it.

split tunneling A method by which a remote VPN user or site is allowed to access a public network (the Internet) at the same time that he accesses the private VPN, without placing the public network traffic inside the tunnel first. This saves VPN bandwidth, but the remote machine is then on the untrusted network and the private network simultaneously, so a compromised remote host can become a bridge into the VPN.

SSID (Service Set Identifier) A name of up to 32 characters (octets) that identifies a wireless network. By default, a wireless access point (WAP) includes its SSID in the beacon frames it broadcasts, roughly every 100 milliseconds. The SSID differentiates one WLAN from another; therefore, all access points and all devices attempting to connect to a specific WLAN must use the same SSID, and a device cannot join the wireless network unless it supplies the correct one. Disabling SSID broadcast in beacons is often recommended, but it is not a security control: the SSID still appears in probe and association frames and is trivially recovered with a sniffer.

SSL (Secure Socket Layer) A protocol that encrypts traffic between a web browser and a web server. The server presents an X.509 certificate; the browser confirms that the certificate is valid and was issued by a trusted CA, negotiates session keys, and proceeds to communicate in a secure mode with the server so you can complete a secure web-based transaction. SSL has been superseded by its standardized successor, TLS.

static NAT Provides for mapping a private IP address to a public IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network—for example, if your web server has an internal IP address of 10.0.0.1 and it needs to be accessible from the Internet—it is your web server after all! NAT must be statically configured so that users who go to the public IP address are always translated to 10.0.0.1, whether or not the server has sent anything out first. The use of static NAT is quite common for devices like web servers that always need to be accessible from the Internet.
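The three translation behaviours in this glossary (Dynamic NAT, overloading/PAT, and static NAT) side by side, as an added example that is not part of the original glossary. The class is a simplified translation table: static entries are fixed and work in both directions at all times, dynamic entries are leased from a pool on first outbound use, and once the pool is exhausted sessions fall back to overloading on one address. All addresses are constructed from the documentation ranges. Real PAT tables also key on the destination address and port and age entries out; that is omitted here.

```python
import itertools
from typing import Dict, List, Optional, Tuple

# Added example (not from the page): a simplified NAT table that combines the
# three behaviours this glossary describes: static (one-to-one, fixed), dynamic
# (one-to-one from a pool) and overloading/PAT (many-to-one using ports). All
# addresses are constructed from the documentation ranges.


class NatDevice:
    def __init__(self, static: Dict[str, str], pool: List[str], pat_address: str):
        self.static = dict(static)                            # inside -> outside
        self.static_rev = {o: i for i, o in static.items()}   # outside -> inside
        self.pool = list(pool)                                # unleased public addresses
        self.dynamic: Dict[str, str] = {}
        self.dynamic_rev: Dict[str, str] = {}
        self.pat_address = pat_address
        self.pat: Dict[Tuple[str, int], int] = {}             # (inside ip, port) -> public port
        self.pat_rev: Dict[int, Tuple[str, int]] = {}
        self._ports = itertools.count(1024)                   # next public port to hand out

    def outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Translate the source of a packet leaving the inside network."""
        if src_ip in self.static:                    # static NAT: always the same address
            return self.static[src_ip], src_port
        if src_ip in self.dynamic:                   # dynamic NAT: reuse the existing lease
            return self.dynamic[src_ip], src_port
        if self.pool:                                # dynamic NAT: lease a pool address
            public = self.pool.pop(0)
            self.dynamic[src_ip] = public
            self.dynamic_rev[public] = src_ip
            return public, src_port
        key = (src_ip, src_port)                     # overloading / PAT: share one address
        if key not in self.pat:
            public_port = next(self._ports)
            self.pat[key] = public_port
            self.pat_rev[public_port] = key
        return self.pat_address, self.pat[key]

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Translate the destination of a packet arriving from outside; None
        means there is no mapping and the packet is dropped."""
        if dst_ip in self.static_rev:
            return self.static_rev[dst_ip], dst_port
        if dst_ip in self.dynamic_rev:
            return self.dynamic_rev[dst_ip], dst_port
        if dst_ip == self.pat_address and dst_port in self.pat_rev:
            return self.pat_rev[dst_port]
        return None


def demo() -> NatDevice:
    """Constructed scenario: one static server, a one-address pool, PAT fallback."""
    nat = NatDevice(static={"10.0.0.1": "203.0.113.1"},
                    pool=["203.0.113.2"],
                    pat_address="203.0.113.254")
    nat.outbound("10.0.0.2", 40000)   # takes the only pool address
    nat.outbound("10.0.0.3", 40000)   # pool exhausted: falls back to PAT
    nat.outbound("10.0.0.4", 40000)   # same inside port, different public port
    return nat


if __name__ == "__main__":
    nat = demo()
    print("static inbound :", nat.inbound("203.0.113.1", 80))
    print("PAT inbound    :", nat.inbound("203.0.113.254", 1025))
    print("unsolicited    :", nat.inbound("203.0.113.254", 5000))
```

The last line of the demo shows the side effect that makes overloading a de facto filter: an unsolicited packet from the Internet to the shared address matches no table entry and is dropped.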

syslog (System Message Logging) Syslog provides a means for the system and its running processes to report various types of system state information. There are three classes of system state data: error, informational, and debug. Cisco IOS Software provides an extensive system message and error reporting facility. In fact, IOS uses more than 500 service identifiers known as “facilities” to categorize system state data for error and event message reporting. System logging data is an important resource in diagnosing problems in general and, when used by the Firewall Feature Set, it allows for the reporting of events.

TACACS (Terminal Access Controller Access Control System) A client/server-based system that secures a Cisco network against intruders. Three methods of TACACS exist: TACACS, extended TACACS, and TACACS+. All three methods authenticate users and deny access to users who do not have a valid username and password.

TCP/IP Model A functional protocol model similar to the OSI reference model and consisting of five layers.

VPN (virtual private network) A network constructed using a public network, such as the Internet, to connect systems to a main site, typically the headquarters. VPNs use encryption mechanisms to protect data that is transmitted across the Internet. Additional protections are also put in place to ensure that only authorized users or devices can connect via a VPN.

VPN-aware firewall This type of firewall either has special software that understands VPNs or dedicated hardware that allows for the encryption/decryption of user data.

VPN Concentrator A dedicated hardware device whose only role in a network is to allow VPNs to connect to it, thereby allowing users access to other network resources.

vulnerability scanning A proactive process that uses software to seek out known security flaws in systems and determine whether those systems can be exploited.

WapChalking A variant of WarChalking set up by the Wireless Access Point Sharing Community, an informal group whose code of conduct forbids the use of wireless access points without permission. The group uses the WarChalking marks as an invitation to wireless users to join its community. In WapChalking terms, the two half-moon open node mark means that a wireless access device is currently indicating factory default settings and is thus easily detected.

WarChalking The practice of marking a series of symbols on sidewalks and walls to indicate nearby wireless access. This way, other computer users can open their laptops and wirelessly connect to the Internet for free. WarChalking was inspired by the practice of hobos during the Great Depression of using chalk marks to indicate which homes were friendly.

WarDialing An early form of hacking involving dialing random numbers in hopes of finding a modem attached to a computer.

WarDriving The act of driving around in a vehicle to look for unsecured wireless networks. Part of the appeal here is that you can now use GPS systems that are connected to your laptop, which are then powered by your car. This makes the act of WarDriving accurate and potentially rewarding for people looking for an unsecured wireless network because they can cover a much larger area with a vehicle than by simply walking.

WarFlying (a.k.a. WarStorming) The act of searching for unsecured wireless networks while flying in an airplane. This act was first recorded in Perth, Australia.

WarSpamming The act of sending spam after hijacking an unsecured connection to a wireless LAN.

WEP (Wired Equivalent Privacy) A method intended to give wireless users the security equivalent to being on a wired network. With WEP turned on, when a packet is transmitted from an access point to a client device, the packet is first encrypted by taking the packet’s data and a secret 40-bit number and passing them both through an encryption algorithm called RC4. The resulting encrypted packet is then transmitted to the client device. When the client device receives the WEP-encrypted packet, it uses the same 40-bit number to pass the encrypted data through the RC4 algorithm in reverse, resulting in the client recovering the data. Of course, the same process occurs in the other direction when a client device is transmitting data to an access point.

Wi-Fi (Wireless Fidelity) The commonly used term to describe 802.11 wireless networks. Wi-Fi also refers to certification by the Wi-Fi Alliance, an international nonprofit association of 802.11 product vendors. 802.11 products that receive Wi-Fi certification have been tested and found to be interoperable with other certified products.

wireless networking A term referring to radio technology that enables two or more computers to communicate using standard network protocols such as IP but without cables.

zombie computer A computer, typically Windows-based, that has been compromised and, without the knowledge of its owner, has had a DDoS program installed that will control the generation of packets toward the intended victim. Zombie computers are also known as agents because they respond to commands from other systems.

zombie network A term used in a DDoS attack that describes the linking of multiple zombie computers into a “virtual” distributed network, allowing the hacker to coordinate their operation to initiate a DDoS against a target. The installation of one of the four commonly acknowledged DDoS programs—TFN, TFN2K, Trinoo, and Stacheldraht—is key in this network.
